checkers-poster-200810-oopsla.ppt - checker-framework

Uploaded Aug 15, 2012

Compile-time Typechecking for Custom Java Type Qualifiers

http://pag.csail.mit.edu/jsr308

Mahmood Ali, Matthew M. Papi, and Michael D. Ernst
Program Analysis Group, MIT CSAIL

Motivation

Type qualifiers:

- Improve documentation
- Find bugs in programs
- Guarantee the absence of errors
- Aid compilers and analysis tools
- Reduce the need for assertions and run-time checks

How a checker plugs into javac:

1. javac parses the input files.
2. javac calls the typechecker plug-in.
3. If the checker finds no errors, javac finishes compilation and writes class files.
   If the checker finds errors, javac reports them and terminates.

Goals

1. Allow programmers to write type qualifiers

```java
List<@NonNull String> names;

ResultSet executeQuery(@Untainted String query);
```

- Planned for inclusion in Java 7
- Backward-compatible: qualifiers in comments. Use it today!

```java
class Folder<F extends /*@Existing*/ File> { ... }

class UnmodifiableList<T> implements /*@ReadOnly*/ List<T> { ... }
```

2. Allow compile-time verification of qualifier semantics.
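As an added example (not from the poster and not the Checker Framework's own code), here is what the second goal means in practice for the `@Untainted` qualifier shown above: a sink that accepts only untainted SQL text, a source that yields tainted input, and a single validated declassification point. The qualifier package names are those of a current Checker Framework release (`org.checkerframework.checker.tainting.qual`), not the 2008 names; `executeQuery`, `requestParam` and `lookupSql` are hypothetical stubs, and the request value is a constructed sample.

```java
// Added example: a tainting discipline enforced by the Tainting Checker.
// Assumes the qualifier packages of a current Checker Framework release;
// the 2008 poster's package names differ.
import org.checkerframework.checker.tainting.qual.Tainted;
import org.checkerframework.checker.tainting.qual.Untainted;

public class UserLookup {

    // Sink (hypothetical stub): the database layer only accepts untainted SQL.
    static void executeQuery(@Untainted String sql) {
        System.out.println("executing: " + sql);
    }

    // Source (hypothetical stub standing in for a servlet request parameter):
    // anything that arrives from the network is tainted.
    static @Tainted String requestParam(String name) {
        return "42 OR 1=1";   // constructed sample input: an injection attempt
    }

    // The single trusted boundary: validate against an allow-list, then
    // declassify. The suppression is deliberate and reviewable; it is the
    // only place in the program where a @Tainted value becomes @Untainted.
    @SuppressWarnings("tainting")
    static @Untainted String lookupSql(@Tainted String id) {
        if (!id.matches("[0-9]{1,9}")) {
            throw new IllegalArgumentException("id must be a short decimal number");
        }
        return "SELECT name FROM users WHERE id = " + id;
    }

    public static void main(String[] args) {
        @Tainted String id = requestParam("id");

        // Rejected by the checker at compile time: the concatenation is
        // @Tainted String, which is not a subtype of @Untainted String.
        // executeQuery("SELECT name FROM users WHERE id = " + id);

        // Accepted: the only route to the sink goes through the validator
        // (which throws for the sample input above).
        executeQuery(lookupSql(id));
    }
}
```

Compile it with the checker on the processor path, e.g. `javac -processorpath checker.jar -processor org.checkerframework.checker.tainting.TaintingChecker UserLookup.java` (the class name is that of the current release). Uncommenting the first `executeQuery` call makes compilation fail, which is the point: every path from network input to the SQL sink must pass through a function whose declassification was reviewed.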


Using a Checker

Effective

- Scales to > 200,000 LOC
- Each checker found errors in every code base it ran on (including itself)
- Few false positives

Nullness tools comparison (4 KLOC code base):

Tool       Bugs found   Bugs missed   FP   Ann.
Checker    8            0             4    35
FindBugs   0            8             1    0
Jlint      0            8             0    0

Ann. = annotations inserted by programmer
FP = false positives (suppressed by an annotation or assertion)

Running the nullness checker:

```sh
javac -processor NullnessChecker [source files]
```

Usable

- Programmers found the checkers easy to use
- Tool support: javac, Ant, Eclipse, NetBeans
- Not too verbose
  - @NonNull: 1 per 75 lines
  - @Interned: 124 annotations in 220 KLOC revealed 11 bugs
- Possible to annotate part of a program
- Fewer annotations in new code

Case study details: "Practical Pluggable Types for Java," ISSTA 2008

Writing a Checker

Simple Checkers

Example: the Tainting checker checks usage of untrusted data.

Complete checker:

```java
@TypeAnnotation
@SubtypeOf(Unqualified.class)
public @interface Untainted { }
```

- Simple checkers require no code: declarative syntax for common uses
- Featureful:
  - Type rules: assignments, overriding, etc.
  - Polymorphic (Java generics)
  - Flow-sensitive type qualifier inference
  - Qualifier defaults
  - Warning suppression

Sophisticated Checkers

Checkers for expressive type systems for:

- @NonNull: nullness errors
- @Interned: incorrect equality tests
- @ReadOnly: undesired side effects

Sophisticated checkers are concise: override a method for each special check

- Nullness: dereferencing
- Interning: equality test
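To make both halves of this column concrete, here is an added example (mine, not the poster's and not the Checker Framework's shipped Interning Checker) of a small interning checker written against the API of current Checker Framework releases: two declaratively defined qualifiers and an empty checker class (the "simple checker" with no code), plus one overridden visitor method that adds the special check for `==` and `!=` (the "sophisticated" part). Four source files are shown in one listing. The names `demo.interning`, `UnknownInterned`, `InterningDemoChecker` and `InterningDemoVisitor` are my own; `Unqualified.class` from the poster no longer exists, so the checker declares its own top qualifier. Package and method names are those of the 3.x releases as I know them and should be checked against the release you use.

```java
// ---- File: demo/interning/qual/UnknownInterned.java ----
// Top of the hierarchy and the default for unannotated types: "may or may
// not be interned". Current releases have no built-in Unqualified.class,
// so each checker declares its own top.
package demo.interning.qual;

import java.lang.annotation.*;
import org.checkerframework.framework.qual.DefaultQualifierInHierarchy;
import org.checkerframework.framework.qual.SubtypeOf;

@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
@SubtypeOf({})
@DefaultQualifierInHierarchy
public @interface UnknownInterned {}

// ---- File: demo/interning/qual/Interned.java ----
// The qualifier of interest. String literals are interned by the language
// specification, so they receive this qualifier automatically.
package demo.interning.qual;

import java.lang.annotation.*;
import org.checkerframework.framework.qual.LiteralKind;
import org.checkerframework.framework.qual.QualifierForLiterals;
import org.checkerframework.framework.qual.SubtypeOf;

@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
@SubtypeOf(UnknownInterned.class)
@QualifierForLiterals(LiteralKind.STRING)
public @interface Interned {}

// ---- File: demo/interning/InterningDemoChecker.java ----
// The "simple checker": no code. The framework loads the qualifiers from the
// sibling qual package and applies the standard type rules (assignment,
// argument passing, overriding) to them.
package demo.interning;

import org.checkerframework.common.basetype.BaseTypeChecker;

public class InterningDemoChecker extends BaseTypeChecker {}

// ---- File: demo/interning/InterningDemoVisitor.java ----
// The "sophisticated" part: one overridden method adds the special check
// that == and != on references require both operands to be @Interned.
// The framework pairs FooChecker with FooVisitor by naming convention.
package demo.interning;

import com.sun.source.tree.BinaryTree;
import com.sun.source.tree.ExpressionTree;
import com.sun.source.tree.Tree;
import demo.interning.qual.Interned;
import org.checkerframework.common.basetype.BaseAnnotatedTypeFactory;
import org.checkerframework.common.basetype.BaseTypeChecker;
import org.checkerframework.common.basetype.BaseTypeVisitor;
import org.checkerframework.framework.type.AnnotatedTypeMirror;

public class InterningDemoVisitor extends BaseTypeVisitor<BaseAnnotatedTypeFactory> {

    public InterningDemoVisitor(BaseTypeChecker checker) {
        super(checker);
    }

    @Override
    public Void visitBinary(BinaryTree tree, Void p) {
        Tree.Kind kind = tree.getKind();
        if (kind == Tree.Kind.EQUAL_TO || kind == Tree.Kind.NOT_EQUAL_TO) {
            checkOperand(tree.getLeftOperand());
            checkOperand(tree.getRightOperand());
        }
        return super.visitBinary(tree, p);   // keep the framework's own checks
    }

    private void checkOperand(ExpressionTree operand) {
        // A comparison against null is a meaningful identity test, and
        // primitives compare by value: neither operand needs interning.
        if (operand.getKind() == Tree.Kind.NULL_LITERAL) {
            return;
        }
        AnnotatedTypeMirror type = atypeFactory.getAnnotatedType(operand);
        if (type.getKind().isPrimitive()) {
            return;
        }
        if (!type.hasAnnotation(Interned.class)) {
            // Key resolved from messages.properties beside the checker, e.g.
            //   not.interned=attempting to use a non-@Interned object (%s) in an equality test
            checker.reportError(operand, "not.interned", type);
        }
    }
}
```

With these files compiled into a jar on the processor path, `javac -processor demo.interning.InterningDemoChecker Foo.java` reports `a == b` unless both operands are typed `@Interned`; `s == "literal"` is still flagged when `s` is unannotated, which is exactly the incorrect-equality bug the `@Interned` case study above was hunting. The skip for `null` and primitives is the kind of edge case a first version of such a check usually forgets, and it is what keeps the false-positive count low.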




Publicly available:

http://pag.csail.mit.edu/jsr308

The website includes all checkers and documentation.